[Oisf-devel] PCRE '/R' bug?

Edward Fjellskål edwardfjellskaal at gmail.com
Fri Jan 31 22:02:10 UTC 2014



"/[a-z]{5}.html"/R"


Is there a " too much?

E

On 01/31/2014 10:40 PM, Harley H wrote:
> Hello, I was going to submit this through Redmine but I'm not
> receiving the account activation email. I'm trying to write a rule
> like this:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $WEB_PORTS (msg: "Testing Rule"; content: "baduricontent"; http_raw_uri; pcre: "/[a-z]{5}.html"/R"; sid: 123; rev: 1;)
> 
> But am receiving this error message:
> 
> 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No preceding content or uricontent or pcre option
> 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "Testing URL"; content: "baduricontent"; http_raw_uri; pcre: "/[a-z]{5}\.html/R"; sid: 98765; rev: 1;)" from file /root/Desktop/Local_Workspace/IDS_Rules/testing.rules at line 1
> 
> 
> When I get rid of 'http_raw_uri' and replace that 'content' with 
> 'uricontent' the same error message is produced.
> 
> -Harley
> 
> 
> 


